Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Zimperium Releases Android Stagefright Exploit Code

Vendors that took measures to protect themselves against the Android Stagefright flaw are not at risk, but a large number of devices still are.

When the Stagefright vulnerability in Android was first announced on July 27, no proof-of-concept code was publicly released.

Several weeks later, on Aug. 5, Zimperium zLabs Vice President of Platform Research and Exploitation Joshua Drake discussed the Stagefright flaw at the Black Hat USA conference, but still no exploit code was publicly released. That has changed, and the first proof-of-concept exploit code for Stagefright is now publicly accessible.

Stagefright is a vulnerability in the Android Stagefright media library, which is used to process content, including Multimedia Messaging Service (MMS) content. The Stagefright media library is found in Android versions 2.2 and higher, and when Drake first discovered the flaw, hundreds of millions of users were at risk.

Google has since issued patches for the flaws Drake discovered, though new Stagefright flaws, including CVE-3864, which Exodus Intelligence disclosed after the patch, are still a concern.

Further reading

Zimperium first shared the exploit it released today with approximately 30 device vendors and carriers, Drake said. "Vendors that took measures to protect themselves are not at risk; most devices, however, still are," he told eWEEK.

It's not entirely clear how many users today are still at risk from Stagefright. Zimperium has released a Stagefright detector mobile app, which alerts users if they are at risk. Drake noted that data collected from Zimperium's Stagefright Detector app is in the process of being analyzed. Zimperium is planning a blog post for a later date on what the company has been able to see from the data.

The actual proof-of-concept exploit code that Drake publicly released today is written in the Python programming language, though it isn't quite a point-and-click weaponized exploit.

"Using this exploit still requires some technical expertise, but obviously it is not as hard as building it in the first place," Drake said. "In addition, we added a 'newbie trap' for the less technically inclined folks out there."

Drake did not elaborate on what that "newbie trap," might be. Additionally, the proof-of-concept code was designed to run against a Samsung Galaxy Nexus device running Android 4.0.4.

"We chose this device specifically because of the partial implementation of ASLR [address space layout randomization]," Drake said. "Our line of thinking was that removing variables from the equation would remove some complexity and help us develop the exploit more quickly."

Released in 2011, Android 4.0.4 is an old version of the operating system. Since Black Hat, Zimperium has been working on an exploit that targets the Nexus 6 running Android 5.1, but the company is not ready to share the details of the Android 5.1 proof-of-concept exploit at this time, Drake said.

ASLR is a technology that Google has claimed will help to mitigate the Stagefright flaw, which Drake admits is partly true. "However, since media server automatically restarts, it is possible to use brute-force tactics to bypass ASLR," Drake said. "We have confirmed this is possible both via MMS and through the browser."

ASLR has been bypassed in many exploits in the past, according to Drake. ASLR bypass usually involves a memory disclosure vulnerability or automatic respawning of a process.

While Zimperium and Drake, in particular, have gained a significant amount of notoriety thanks to Stagefright, there is still more mobile research to be done and more discoveries to be announced.